1. Technical Field
The present invention relates to virus scanning. More specifically, it relates to scanning files in a computer system to detect additional infections of a computer virus when a first infected file is identified.
2. Background Information
Antivirus software is a class of programs that search a computer system for any known or potential malicious software. They are computer programs that attempt to identify, neutralize or eliminate malicious software, which includes not only computer viruses but other threats to a computer system, such as worms, phishing attacks, rootkits, trojan horses or other malware. In this application, the term “computer viruses” is used as an example to describe all malicious programs that antivirus software is designed to handle.
With the fast growth of home or office networks and the wide expansion of the Internet, antivirus software has become a much needed application on computers today, because the increase in connectivity makes it easier for viruses to spread. Antivirus software typically has two different working modes. It either has a virus dictionary and examines (i.e. scans) files in a computer system to look for known viruses matching definitions in the virus dictionary, or performs heuristic analysis by identifying suspicious behavior from any computer program which might indicate infection. The heuristic analysis includes data capture, port monitoring and other methods. Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach.
Often a computer virus infects more than one file in a computer system. Antivirus software has various methods for finding files in a computer system that are infected, from finding the first instance of an infection to finding additional infections once the first instance is found. However, most antivirus software relies on comparing the signature of a file against the signature of a known computer virus when scanning the entire computer system. This method is usually inefficient for finding additional infections.
At the time of this application, antivirus software makers have tried to improve the brute force searching method typically used in finding infections. Many of the attempts to improve antivirus detection have centered on looking for suspicious file behavior. This approach often requires a user to manually confirm or deny whether a file behavior relates to a virus. However, this approach tends to have many false positives, and it is easy for a user to become desensitized when there are too many false warnings. Moreover, even if this approach works well for finding the first instance of an infection, it cannot be applied to effectively search for additional infections, because it is fully dependent on file behavior, which is not suited for finding static files that may already be infected. Another approach that antivirus software developers have tried in order to improve on the typical brute force method is to search only among those files that have had an update or create operation performed on them. This approach works well for first instance infections, but may require a much broader search than necessary for additional infections, because unrelated and non-infected files are also created and modified.
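As an added illustration, not part of the application itself, the Python sketch below runs a virus-dictionary (hash) scan over a constructed set of files, once over every file and once restricted to recently created or modified files, so the two background approaches can be compared on how many files they examine and which infected copies they find. The paths, timestamps, payload and signature are all made up for the example.

```python
import hashlib
from typing import List, NamedTuple, Optional, Tuple

class File(NamedTuple):
    path: str
    content: bytes
    mtime: int  # constructed timestamp (seconds)

# Constructed virus dictionary: SHA-256 of a made-up payload -> signature name.
MALICIOUS_PAYLOAD = b"CONSTRUCTED-MALWARE-SAMPLE-0001"
VIRUS_DICTIONARY = {hashlib.sha256(MALICIOUS_PAYLOAD).hexdigest(): "Sample.Constructed.A"}

# Constructed file system: two infected copies (one old and static, one recent)
# plus unrelated clean files, some of which were recently created or modified.
FILES = [
    File("/home/u/docs/old_report.exe", MALICIOUS_PAYLOAD, mtime=10),   # earlier infection, untouched since
    File("/home/u/dl/setup.exe",        MALICIOUS_PAYLOAD, mtime=100),  # first instance found
    File("/home/u/dl/notes.txt",        b"meeting notes",  mtime=105),  # unrelated, recently modified
    File("/home/u/dl/photo.jpg",        b"\xff\xd8\xff",   mtime=101),  # unrelated, recently created
    File("/home/u/docs/budget.xlsx",    b"spreadsheet",    mtime=5),
    File("/var/log/app.log",            b"log line",       mtime=110),  # unrelated, recently modified
]

def matches_dictionary(content: bytes) -> Optional[str]:
    """Return the signature name if the file hash is in the virus dictionary."""
    return VIRUS_DICTIONARY.get(hashlib.sha256(content).hexdigest())

def full_scan(files: List[File]) -> Tuple[List[str], int]:
    """Brute-force approach: hash and compare every file in the system."""
    infected, examined = [], 0
    for f in files:
        examined += 1
        if matches_dictionary(f.content):
            infected.append(f.path)
    return infected, examined

def changed_files_scan(files: List[File], since: int) -> Tuple[List[str], int]:
    """Scan only files created or modified at or after `since`."""
    infected, examined = [], 0
    for f in files:
        if f.mtime < since:
            continue  # static files are skipped, infected or not
        examined += 1
        if matches_dictionary(f.content):
            infected.append(f.path)
    return infected, examined

if __name__ == "__main__":
    print(full_scan(FILES))              # both copies found, all 6 files examined
    print(changed_files_scan(FILES, 90)) # old copy missed, 3 unrelated files examined
```

The change-filtered scan finds the first instance but skips the older static copy while still hashing unrelated recently modified files, which is the shortcoming the background describes.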